8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 7, 2012 22:21 UTC (Thu) by kmself (subscriber, #11565)
Not entirely harmless.
It tells the attackers which hashes are of value (e.g.: are used).
Since this hashlist was unsalted, it would also make it possible to compare directly with other unsalted hashes (a too-common occurrence) and determine which hashes were worth attempting to brute force in order to gain access to multiple systems.
I'd strongly recommend changing your password for something long, random, and unique.
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 8, 2012 11:15 UTC (Fri) by dps (subscriber, #5725)
If I had lots of unique random passwords then I would have to write them down, which is also on the list of things not to do. I, like many other people, reuse a few which I know and should resist dictionary attacks.
Some things are sufficiently important to merit their own password but most don't. You won't find a list of my passwords and where to apply them outside my head but some of those places are easy to guess.
There is no excuse for using plain text or unsalted password hashes. Just because M$ windows uses unsalted plain text equivalent password hashes does not mean you should too.
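To show why kmself's cross-leak point and dps's "no excuse for unsalted hashes" both hold, here is an added example that is not from the thread: two constructed sites whose users partly reuse passwords. Plain SHA-1 is assumed as the illustrative unsalted scheme and PBKDF2-HMAC-SHA256 with a per-record random salt as the salted one; all user names and passwords are constructed.

```python
import hashlib
import secrets

# Constructed sample data: two independent sites, two of three users reuse a password.
SITE_A = {"alice": "correcthorse", "bob": "hunter2", "carol": "Tr0ub4dor&3"}
SITE_B = {"alice": "correcthorse", "bob": "hunter2", "carol": "unique-here-only"}


def unsalted_hash(password: str) -> str:
    """Unsalted scheme (assumed SHA-1): same password -> same hash on every site."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Salted scheme: PBKDF2-HMAC-SHA256 keyed by a per-record random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def build_unsalted_db(users: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_db(users: dict) -> dict:
    """Store (salt_hex, hash) per user; the salt is what the verifier needs later."""
    db = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16)
        db[user] = (salt.hex(), salted_hash(pw, salt))
    return db


def verify_salted(db: dict, user: str, password: str) -> bool:
    salt_hex, stored = db[user]
    return secrets.compare_digest(stored, salted_hash(password, bytes.fromhex(salt_hex)))


def cross_leak_overlap(unsalted_a: dict, unsalted_b: dict) -> set:
    """Hash values present in both unsalted leaks: reused passwords exposed with no cracking."""
    return set(unsalted_a.values()) & set(unsalted_b.values())


def salted_overlap(salted_a: dict, salted_b: dict) -> set:
    """Same comparison against salted records; distinct salts make reuse invisible."""
    return {h for _, h in salted_a.values()} & {h for _, h in salted_b.values()}


def demo() -> tuple:
    """Returns (matches across unsalted leaks, matches across salted leaks)."""
    unsalted = cross_leak_overlap(build_unsalted_db(SITE_A), build_unsalted_db(SITE_B))
    salted = salted_overlap(build_salted_db(SITE_A), build_salted_db(SITE_B))
    return len(unsalted), len(salted)
```

Running `demo()` gives two matches for the unsalted stores (alice and bob) and none for the salted ones, even though the underlying reuse is identical.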
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 8, 2012 11:28 UTC (Fri) by paulj (subscriber, #341)
Writing passwords down is a *good* thing, if it allows you to increase your security. E.g., if you have to choose between re-using passwords across various not-terribly-trustworthy websites OR writing them down so that you can use a unique (preferably random) password for each site, then the latter option is better. Most browsers have password-storage features to make this easier (I don't trust such a feature alone though, I will also write them down elsewhere - having been burned by browsers changing the format of such storage before).
Your memory does not scale. You can only remember a small number of passwords. So you should use these few passwords only for a few of your most sensitive accounts.
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 8, 2012 19:26 UTC (Fri) by dlang (✭ supporter ✭, #313)
relying on the browser to store your passwords only works if you only use one machine/browser to access things.
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 8, 2012 22:03 UTC (Fri) by paulj (subscriber, #341)
Browsers can be configured to store passwords on central servers these days.
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 8, 2012 22:13 UTC (Fri) by dlang (✭ supporter ✭, #313)
how much do you trust the provider of that central server?
are you willing to have no access to any of the sites if there is a problem getting to that one server?
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 8, 2012 23:25 UTC (Fri) by paulj (subscriber, #341)
I'm willing to trust the operator of that one server, more than any of the many sites that want passwords. I believe they have very good backup systems, however I also have my own local backup.
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 8, 2012 23:28 UTC (Fri) by dlang (✭ supporter ✭, #313)
it's not just having backups, it's keeping your data safe (both from outsiders and insiders)
if someone gets those passwords, they get access to everything.
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 8, 2012 23:34 UTC (Fri) by paulj (subscriber, #341)
The servers are run by the same organisations who provide the code for the browsers that I run and use to access those websites. So I already trust them quite a lot, whether I realise it or not.
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 8, 2012 23:43 UTC (Fri) by dlang (✭ supporter ✭, #313)
trusting them to not have something in the code that sends a copy of the passwords out to them secretly is one thing (especially with people interested in watching what browsers send out, and the code being available for inspection)
trusting them to not have any insiders who would be interested in your bank's account and password, and to keep their systems secure enough to prevent outsiders who are interested in your bank's account and password is something very different.
Yes, I'm one of those paranoid folks who doesn't even let my browser remember passwords locally on my system. :-)
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 8, 2012 23:54 UTC (Fri) by paulj (subscriber, #341)
I don't let my browser store credentials for any highly-sensitive web-sites, like online banking (and anyway, my online banking login is deliberately designed so that browser credential-storing can't work). Highly-sensitive credentials like that I keep only in my head.
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 9, 2012 0:48 UTC (Sat) by martinfick (subscriber, #4455)
Oh I hate when they do that, etrade used to, but they quit. I complained to them that it actually makes things less secure. I suspect that they eventually agreed.
Seeing as phishing is a very common theme, having to type your password over and over again makes you very susceptible to it. At least when your browser remembers your password you won't likely accidentally type it into a phishing site. If your browser remembers the password for you, and you visit what you think is your commonly accessed site, and your browser does not auto-populate your password, it should send up red flags in your head: "why does it not remember my password?" Oh, perhaps because I mistyped and that isn't really an etrade URL!
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 11, 2012 8:51 UTC (Mon) by jezuch (subscriber, #52988)
> Oh, perhaps because I mistyped and that isn't really an etrade URL!
Then don't type the address? Always access the site via bookmarks or maybe rely on the browser's autocompletion (based on bookmarks and/or browsing history). And, of course, never, ever click on links in email.
8 million leaked passwords connected to LinkedIn, dating website (ars technica)
Posted Jun 9, 2012 15:20 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)
At least Firefox uses a master password to encrypt password data uploaded to the cloud storage.